• Registered: 2016-12-22
  • Posts: 9

Topic: TLS1.2 CIPHER PROBLEM

I am accessing these site using wolfSSL encryption suit


site: inetupload.indsci.com
Encryption: TLS_DHE_RSA_WITH_AES-128_CBC_SHA, 128 BIT, tls1.2
Access status : CANNOT ACCESS IT

site: amazon.com
Encryption: TLS_ECDHE_RSA_WITH_AES-128_GCM_SHA256 , 256BIT, tls1.2
Access status : OK

site: inet.indsci.com
encrpytion: TLS_ECDHE_RSA_WITH_AES-256_CBC_SHA , 256BIT, tls1.2
Access status : OK


I have built WolfSSL for the Ti RTOS with following setting
#define WOLFSSL_SHA512
#define WOLFSSL_SHA384
#define FP_MAX_BITS 8192
#define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Do I need to add something else to get connected to the website with following certificate

TLS_DHE_RSA_WITH_AES-128_CBC_SHA, 128 BIT, tls1.2

Share

  • Registered: 2016-12-22
  • Posts: 9

Re: TLS1.2 CIPHER PROBLEM

I get  -313, when I try to access  inetupload.indsci.com

Share

  • Registered: 2016-12-22
  • Posts: 9

Re: TLS1.2 CIPHER PROBLEM

I found that encryption of inetupload.indsci is BUILD_TLS_RSA_WITH_AES_128_CBC_SHA.
I defined it in the wolffSSL settings and rebuild the wolfssl

Now I get -188 error instead of -313.

I searched the net to find -188 error can be fixed by assigning FP_MAX_BITS >=8192. I have given it value of 10192 but still I get the same -188 errror.

Any help in this issue will be highly appreciated.

Share

  • Registered: 2016-12-22
  • Posts: 9

Re: TLS1.2 CIPHER PROBLEM

Is there any help on this issue of -188 Error?

Share

  • From: Bozeman
  • Registered: 2014-05-09
  • Posts: 777

Re: TLS1.2 CIPHER PROBLEM

Hi malikfehan123,

So sorry for non-response, I was traveling overseas last week but I am back in the office now!

I scanned the domain in question and it only supports static cipher suites as you found and tried to define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA it looks like you were on the right track. However instead of defining that you should instead use:

#define WOLFSSL_STATIC_RSA

to enable static cipher suites.

A -188 is an ASN NO SIGNER TO CONFIRM FAILURE error. This is typically a result of attempting to do peer authentication with a certificate that was not found in the cert chain sent by the peer. Please make sure to load the correct certificate with 

wolfSSL_CTX_load_verify_buffer

when doing peer authentication. I browsed to the site in question and inspected the page for security details. It looks like the root CA for that domain is: "Avast trusted CA". Please place the "Avast trusted CA" in a cert buffer and load with wolfSSL_CTX_load_verify_buffer when connecting to that site.

Interesting note on: inetupload.indsci.com
If you connect to http://inetupload.indsci.com:443 (Notice HTTP and not HTTPS) you can get a download so you can completely bypass SSL/TLS altogether. If that is your domain I recommend fixing that before going live! If you correctly browse to: https://inetupload.indsci.com:443 then no download and you can view the certificate information


Setting FP_MAX_BITS >=8192 means you have an RSA certificate in your cert chain that is using a 4096-bit RSA key. The examples from TI are fine-tuned for heap/stack use. You may need to bump the size of your stack to allow for this additional RSA-key size as the defaults only use 2048 bit keys if I remember correctly.

Warm Regards,

Kaleb

Kaleb J. Himes's Website

Share